OWASP ASIDE/ESIDE

OWASP ASIDE/ESIDE project consist of two branches, the ASIDE branch that focuses on detecting software vulnerabilities and helping developer write secure code, and the ESIDE branch that focuses on help educating students secure programming knowledge and practices. Details about ESIDE are described [here].

Introduction

ASIDE is an abbreviation for Application Security plugin for Integrated Development Environment. It is an Eclipse Plugin which is a software tool primarily designed to help developers write more secure code by detecting and identifying potentially vulnerable code and providing informative fixes during the construction of programs in IDEs.

Description

ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect root cause of vulnerabilities that are caused by untrusted inputs get in to the application and be consumed without validation, and provide interactive code refactoring support for students and professional developers to learn secure programming practices and write more secure code.

ASIDE CodeAnnotate is another Eclipse plugin which deals with a different class of vulnerabilities that are more application logic specific. Specifically, it is aimed at addressing CSRF and broken access control issues while the developers are writing their code.

An older version of ASIDE DEMO shows you earlier design and implementation of CodeRefactoring, if you are interested in knowing. You will need Adobe Flash to display it.

Licensing

OWASP ASIDE is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

What is ASIDE/ESIDE?

OWASP ASIDE provides:

Interactive Static Analysis support to developers in Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in the code

Interactive Secure Programming Education opportunities in IDE for students as well as professional developers to help them write more secure code as well as learn best secure programming practices

Project Leaders

Related Projects

Openhub

Quick Download

Runnable plugins and installation guidelines

The recent publicly available ASIDE CodeRefactoring plugin can be downloaded from here. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.

The recent publicly available ASIDE CodeAnnotate plugin can be downloaded from here. ASIDE CodeAnnotate is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here.

New! We recently released a version of ASIDE CodeAnnotate plugin for Eclipse PHP Development Environment. It is built upon Eclipse PDT framework, you can download the plugin here. As it is still in incubator phase at this point, we recommend you to first install the configured Eclipse PHP package we provide on Linux, which can be downloaded here, and then place the jar file under the plugins folder of the Eclipse installation directory, and then restart your Eclipse. Demo of how to run CodeAnnotate can be viewed from here. A good PHP open source project you can try the plugin against is Moodle;

In Print

N/A

Classifications

ASIDE project has been continuously under active research, development, and evaluation.
Involvement in the development and promotion of ASIDE is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:

Try ASIDE and email your feedback, comments to the project leaders.

Do pilot study with ASIDE in your team, and the project leaders would love to collaborate!

ESIDE

Introduction

ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning
the student's IDE into a real-time secure programming instructional resource. This approach capitalizes
on the out of class, in the IDE time by providing layered educational opportunities whenever the
student writes specific code patterns (i.e., vulnerable code) in a fashion similar to Microsoft's Grammar
Checker. In this manner, ESIDE provides students with the opportunity to learn secure coding
principles and practices concurrently with the lessons they are learning in their respective courses.

Description

Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns
(e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an
interactive system that provides a layered educational opportunity. Because students are contextually
“in the moment” when the support becomes available, they are more receptive to making the
connection between classroom principles and coding practices. A secondary effect is the exponential
increase in instructional exposure which has been proven to be successful in other instructional areas.
The overall goal of ESIDE is to serve as an effective means to educate students at every level on the
principles and practices of secure coding throughout their educational experience. To this end, we have
developed ESIDE's interactive process as follows: The moment target code is written, ESIDE initiates
a layered educational intervention based on the targeted code. The first layer is a warning icon that
is placed in the left margin of the code editor. Hovering the icon reveals a short message that
encourages further interaction. When the student clicks the icon, ESIDE generates a
content specific list of educational options. Each of these options are accompanied with a short
explanation of the issue at hand. For each generated list, there also exists the option to
access an explanation page that provides a more comprehensive explanation of what was
discovered, why it is important, and how to integrate the provided principles into coding practices.

Runnable ESIDE Prototype and Installation Guidelines

The recent publicly available ESIDE plugin can be downloaded from here. You also need to download the complementary logging facility to make ESIDE work properly. ESIDE is built upon Eclipse IDE for Java EE Developers Version 3.5+. To make it work, please place the two jar files under the plugins folder of your Eclipse installation directory and then restart your Eclipse.

Open Source Code

Priorities and get involved

As of March 17, 2015 the priorities are:

1. Move xml into a database.

2. Create a public repository of customized ESIDE support for specific courses.

Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to
be a security expert in order to contribute. Some of the ways you can help: Individuals who are interested in content contribution, usability evaluation or deploying ESIDE in their classroom would be wonderful!!

Purpose: LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java EE Applications for common types of security vulnerabilities found in Web Applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project. The project's second push is being led by Pablo Martín Pérez, Evalues Lab ICT Security Researcher, developing LAPSE+, an enhanced version of LAPSE.

Release description: LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities.

OWASP Java Encoder Project

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts (primarily JavaScript) are injected into otherwise trusted web sites. You can read more about Cross Site Scripting here: Cross-site_Scripting_(XSS). One of the primary defenses to stop Cross Site Scripting is a technique called Contextual Output Encoding. You can read more about Cross Site Scripting prevention here: XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet.

Introduction

Contextual Output Encoding is a computer programming technique necessary to stop Cross Site Scripting. This project is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. It provides numerous encoding functions to help defend against XSS in a variety of different HTML, JavaScript, XML and CSS contexts.

Quick Overview

The OWASP Java Encoder library is intended for quick contextual encoding with very little overhead, either in performance or usage. To get started, simply add the encoder-1.1.1.jar, import org.owasp.encoder.Encode and start encoding.

Please look at the javadoc for Encode to see the variety of contexts for which you can encode. Tag libraries and JSP EL functions can be found in the encoder-jsp-1.1.1.jar.

If you want to try it out or see it in action, head over to "Can You XSS This? (.com)" and hit it with your best XSS attack vectors!

News and Events

In Print

Classifications

The general API pattern is to utilize the Java Encoder Project in your user interface code and wrap all variables added dynamically to HTML with a proper encoding function. The encoding pattern is "Encode.forContextName(untrustedData)", where "ContextName" is the name of the target context and "untrustedData" is untrusted output.

Basic HTML Context

<body><%= Encode.forHtml(UNTRUSTED) %></body>

HTML Content Context

HTML Attribute context

Generally Encode.forHtml(UNTRUSTED) is also safe but slightly less efficient for the above two contexts (for textarea content and input value text) since it encodes more characters than necessary but might be easier for developers to use.

JSP Tag Library

Maven

The following describes the Grave Accent XSS issue with unpatched versions of Internet Explorer. Thank you to Rafay Baloch for bringing this to our attention and to Jeff Ichnowski for the workaround.

Introduction

The grave accent (`), ASCII 96, hex 60 (wikipedia) is subject to a critical flaw in unpatched Internet Explorer. There is no possible encoding of the character that can avoid the issue. For a more in depth presentation on the issue discussed herein, please see Mario Heidrech's presentation.

Background

In Internet Explorer, the grave accent is usable as an HTML attribute quotation character, equivalent to single and double quotes. Specifically, IE treats the following as equivalent:

<body><%= Encode.forHtml(textValue) %>" /></body>

<input value="this is the value">
<input value=`this is the value`>

It is an IE extension, is not in HTML specifications (HTML4, HTML5), and is probably not well supported in other browsers.

When this snippet is run in Internet Explorer the following steps happen:

Two div elements are created with id's "a" and "b"

The script executes "a.innerHTML" which returns:

<input value=``onmouseover=alert(1)>

The script sets "b.innerHTML" to the value from (2) and is converted to the DOM equivalent of

<input value="" onmouseover="alert(1)">

The XSS issue arises from IE returning a value from innerHTML that it does not parse back into the original DOM. Patched version of IE fix this issue by returning the XSS value as a double-quoted attribute. The issue is complicated by the fact that no possible encoding of the grave accent can avoid this issue.

When...

<input value="``onmouseover=alert(1)">

...is the input, "a.innerHTML" returns the same XSS vector as it does without the encoding.

Recommend Solution

Our recommended workaround is to update any JavaScript based innerHTML read to replace the accent grave with a numeric entity encoded form: "`". As an example, the following change to the XSS vulnerable code above fixes the issue:

<script>a.innerHTML=b.innerHTML.replace(/`/g, "`");</script>

This can be done in any library code that reads the innerHTML. To follow how this addresses the issue, the innerHTML from step 2 of the issue is converted to:

<input value=&#96;&#96;onmouseover=alert(1)>

Since the browser will no longer see the grave accents as an empty attribute, it will convert the input back to a copy of its original DOM.

Other Possible Solutions

As there is no encoding option available, the following options are available to web application authors:

Do not use innerHTML copies

Filter out the accent grave from any user input

Clean up grave accents when using an innerHTML copy

OWASP Java Encoder Library Related Changes

The OWASP Java Encoder Library at its core is intended to be a XSS safe _encoding_ library. The grave accent is a legitimate and frequently used character, that cannot be encoded to avoid this bug in unpatched versions of IE. With enough user feedback, we may update the library to include one of the following options: (1) alternate, drop-in build that filters grave accents, with unchanged API, (2) new filtering methods.

Main

GoatDroid

The OWASP GoatDroid Project is a fully functional and self-contained environment for learning about Android security.

Introduction

GoatDroid requires minimal dependencies, and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location based social network, and Herd Financial, a mobile banking application.

Description

OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.

As the Android SDK introduces new features, the GoatDroid contributors will strive to implement up-to-date lessons that can educate developers and security testers on new security issues. The project currently provides coverage for most of the OWASP Top 10 Mobile Risks and also includes a bunch of other problems as well.

Contributions will always be needed in order to keep this project moving at a pace that can support the seemingly endless new problems to tackle. If you are interested, please contact the project's leaders or send an email to the OWASP Mobile Security Project mailing list. We welcome code contributors, beta testers, new feature suggestions, and feedback always!

Licensing

GoatDroid is published by OWASP under the GPLv3 license. You should read and accept the LICENSE before you use, modify, and/or redistribute this software.